Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
News Your Rights Online

'Hacking' To Be Declared Illegal 495

sowalsky writes sent us an MSNBC story that talks about hacking being declared illegal. Talks about the difference between hacking and cracking, but more importantly, how the Draft Cybercrime Treaty would make things like BugTraq illegal, as publishing exploits would be aiding and abetting.
This discussion has been archived. No new comments can be posted.

'Hacking' to be Declared Illegal

Comments Filter:
  • by Anonymous Coward

    The Council of Europe has promised to provide a list of exceptions to the treaty, and professional network administrators will likely end up exempt.

    Does this mean that just because I'm a home user/developer (not a 'professional network administrator') I can't run nmap on my system? And who determines 'professional network administrator'? Do I need a note from my boss? Or do I have to register with the gov't? I do administer two systems at home, and I do some development for work on them. Am I a professional or an amateur? What about someone in school who's learning sysadmin? Do they need a letter from their teacher saying they're allowed to look at Bugtraq? Maybe we could just make all the security sites and mailing lists government entities. You register with your SSN and passport number, and, if you have no priors, then you can see what's going on.

    grrrr . . .

  • Very few. A lot of them were high-profile though.
  • I've been approached by a private investigator reciently. Someone on disability appears to be running a buisness from his house, the invistigator wants to know if I can break into his comptuer and collect evidence.

    Note that I have not aggreed to the above, and will not until I get more information. However we can all agree that IF fraud is committed the evidence I collect would be honest, but if not I would be stepping over the line. So are cracking tools illegal? The private investigator can presumably use lock picks (bugler's tools which are illegal to possess) to break into this person's house to collect evidence. (THe law is very shady here)

  • A loaded gun does not nessicarly kill someone. I've handled a loaded gun several times, and yet none of those guns have killed someone. If the gun is not treated like it will kill someone, yet it probably will (at some time) injure someone. Even then though, there are few places were you can get shot and killed making accidents more likely to require a hospital stay then a funeral. Ronald Reagon was shot in 1982(?), and it didn't kill him. Many others have been shot and not died.

    A gun can kill people. So can a knife. A gun can also put food on a poor person's table. A gun can make for an enjoyable afternoon of target practice. A knife can cut an onion. A baseball thrown at someone's head can kill. A baseball bat can kill someone. Combine the bat and ball and you have America's favorite passtime.

  • We (the USA) learned that lesson the hard way in the 1920s, with prohibition.

    I think it's rather obvious that we learned nothing from prohibition, else we would not be spending obscene amounts of money trying to prevent people from smoking pot in this country. It's done nothing but increase the number of people that are deemed criminals, fill up our prisons to the point where we are constantly building new ones, increase actual violent crime and theft, increase corruption of our own and foreign governments, and violate the basic human rights of millions of people.

  • What we need to do is leave people the hell alone when they aren't hurting others and get rid of a lot of the stupid laws that have been passed. If someone wants to smoke pot, let them smoke pot. If they want to smoke pot and then drive while high, then they are an imminent threat to others and should be punished. Do it again and the punishment is greater, etc. The War on Drugs has created a hell of a lot more problems than it has fixed (in fact I can't think of a single thing it's fixed in 20 years). It's become nothing but an excuse for the government to spy on us and violate our rights.

  • I am a lawyer, but this is not legal advice. If you need legal advice, contact an attorney licensed in your jurisdiction.

    Judicial review is really kind of hard to avoid. First of all, the Federalist Papers made it clear that this was understood to be how things would be done. Second, when forcing something to be doee (or not done), the action is taken in court. Judicial review of a law is in reality the court deciding wehether or not it has authority to act as one party is demanding: if there is no Constitutional authority for the law, then any court action enforcing the law would exceed the powers granted the court in the Constitution . . .

    THis becomes necessary becasue the COnstitution enshrines the Supreme COurt as the highest court. Other solutions are possible, though--instead of a Supreme COurt, we could use the Senate, a la the British House of Lords (in which it's actually a committee of Law Lords; the rest of the chamber just rubber stamps)--but that would require a different structure.

    hawk, esq.
  • How does security through obscurity NOT work?

    At the risk of feeding a troll...

    Security though obscurity does not work in much the same way as believing that you can fly by flapping your arms doesn't work. Or the same way that Trade Secrets are only protected so long as everyone keeps their mouth shut and nobody finds out how to do it on their own.

    An example: Your have your box accepting telnet on port 22 instead of 23. That's security through obscurity. If I happen across it and find telnet reponding on an odd port, that just intensifies my curiosity. What are you trying to hide by covering it with such a thin veil of protection?

    Another example: Your encrypt your sex diary by XORing with the word "sex". You don't tell anyone that you XOR it but you instead say "I've got strong security on my sex diary." Now someone like me comes along and plays around and breaks it with a lucky guess or three. What safety did your security through obscurity provide? Absolutely none.

    If you're gonna do something, do it right. That includes writing software to be free from bugs and "unplanned features". If you rely on your system to be secret enough to not warrant any stronger security measures, you deserve to be rooted.

  • Here's a footnote from the Word version availalble at http://conventions.coe.int/treaty/EN/projets/cyber crime.doc (yes I'm using windows...) :

    Several comments from industry indicated that the so-called "cracking-devices", to which Article 6 applies, may also be used legitimately to test system security. The explanatory report shall clarify that the conduct defined by Article 6, when undertaken with such legitimate purposes, would be considered to be "with right". Furthermore, the burden of proof of the unlawfulness of conduct under Article 6 would lie with the prosecution. In this context, reference should be made to the footnote under Article 2 concerning the meaning of "without right".

    That would seem to indicate that comments (from someone at least -- "industry" could mean anything from Microsoft executives to me) weren't ignored.
  • Now, I don't want to get off on a rant here,
    but this is ridiculous. First, it was letting AOLers on to Usenet. Then it was the plethora of ISP's and all the newbie net users. Remember the CDA? Submarine net patents? DMCA? I feel like I've had a run in with one million Michele Triola's, and I'm no Lee Marvin.

    I'm going to propose something radical, something elitist, something morally wrong, something curmudgeonly. But I remember the "Good Old Days". Well, they are not that old. And at 9600 baud, "Good" is a relative term. But I'll loose the bandwidth. I'll lose the web. I'll lose everything except mail, usenet, telnet, ftp, and a small smattering of other services. But I want them gone. The users. Almost all of them. Everyone who first got online after 92, maybe up to 94.

    Maybe this is flamebait. Maybe this is a troll. I don't know. I don't care. I'm seeing red. Nothing but crimson red. We had everything we needed back then. Gopher, usenet, mail, and muds. It was the holy quartet. Everyone new something about computers. You couldn't get online if you didn't. Remember typing in slip manually? How about hand timing a script to pick up as soon as PPP connected? Everybody had to do this. Sure, we couldn't email our mom's then. But I'll give that back too. To be on the net was something that only you understood. Your family didn't know or care. Hell, they couldn't think of a reason they would use it. They were right.

    Now I know what you are thinking. The net is too powerful to keep away from everyone. Its draw is irresistible. Like moths to a flame, people are drawn to information. Like Stella Liebeck to her coffee cup, the masses came to the net. And both were pissed when it was hot. Sometimes, it is better to never serve coffee in the first place. We thought community, they thought lawsuits. We though information, they thought "of the children". We though porn... Well, they thought the same thing. They cannot always be wrong, you know.

    And speaking of the children, how come I don't hear about parents complaining about all of those 8 year old drivers out there. Oh, 8 year olds cannot drive? What does this logically imply Skippy? Really? If I truly feel that the net is as dangerous as a car, I shouldn't let my kids use it just like I don't let them drive a car? Nah, that is too much. I'll just demand for laws to protect them. Lord knows I'm not going to.

    I'm not seriously proposing that we get rid of the "masses". I know it is impossible. But we should have kept it from them. Somehow. Maybe like a clue server on netrek. We could have kept all that knowledge and power to ourselves. The net would have been smaller, but we would have had so much more power because of it. Like gods among men, we could have levied our advantage to get sensible preemptive laws put into place. We knew they were coming. We should have prepared.

    In short, we had it all, we gave it away. It doesn't suck yet, but it could. And we could have prevented it. Maybe we still can, but we definitely could have by acting earlier.

    Of course, that's just my opinion. I could be wrong.

  • Your premise is that this is good because supposedly the rightful owners of hacking tools will have them. This implies that someone must determine who is granted the priveledge to use hacking tools and who is denied. The consequence is that a beaurocrat decides if you or your business can be involved in the security business. This is called a racket, and it will inevitably lead to corruption.

    This sort of treaty is asanine because every person should have the freedom to learn how things work. The mere ownership of hacking tools doesn't denote the misuse of the tool. A just society punishes individuals based on their activity and behavior with tools, not ownership. Anything else is presumption that the law always knows the best use and intent for a tool.

    This is really about freedom when you get down to it. Do you have the liberty to run Nmap on your own network, or do you have to pay $200/hour to some monkey that is endorsed by a beaurocrat? Will the the knowledge of computer security be outlawed so that a priveledged class of individuals can do what anyone else could have done themselves? I certainly hope not.

  • I donno about you folks, but as this law passes, I'll start considering changing countries. Anyone else up for moving to a less over-prosecuted land?

    My only criteria are (1) bandwidth (2) food quality/availability and (3) climate. I hear Brazil is nice...

    --

  • It is true that putting pot retailers in jail is a waste of resources. Probably counterproductive.

    On the other hand, the only thing proven to reduce crime is keeping habitual criminals in jail until they are too old for the game.

    The real answer is we need enough jails to keep all the street thugs off the streets, no more, no less. Until we fix or delete the drug war, we are unlikely to know whether this is more or less tyhan we already have.

  • <em>When your kid asks for a new bicycle (to go upstairs/fuel for his car/ etc...) give him a loaded gun instead - it's safer that way.</em>

    Being at work, I don't have the numbers on me, but more children die (individually) as a result of falling down stairs, drowning, or being hit by a car while on a bicycle each year than by negligent firearms use. Not that anyone can really be expected to know that, considering how one-sided the media can be about these issues.

    I'd feel my children to be a lot safer with a gun in the house than a pool in the back yard or stairs to fall down. Just because I managed to survive both pools and stairs to reach breeding age doesn't mean that they're inherently safer. In fact, they're much more dangerous.

    --
    It's pretty pathetic when karma can drop when you do nothing
  • Well, you see, a gun is made to kill/break/hurt something. Maybe a person, maybe a tasty animal, maybe a target, but something.

    So are clubs. So are knives. Yet you don't see the same rabid attacks against them. I maintain that they are all tools. Nothing more, nothing less.

    A club was originally designed to bash something in order to kill/break/hurt it. Do we have regulation? No. Is it easy to obtain? Damn straight, if there are trees or construction or anything of a suitable shape out there. Are they incredibly prevalent in society? Well, I see them used every time I watch a baseball game . . . Are they blamed when someone's beaten to death? No. Can they be used for good OR evil? Yes.

    Same with knives. Originally designed to cut and stab things. You can buy them in a sporting goods department. You can buy them from RonCo. You can get them in any kitchen store. They're probably more prevalent than any other object intended as a weapon. Do a quick check: how many knives are there in your house right now? Don't you think you should check this knife proliferation? Do we have to treat you with kid gloves because you might flip out and go on a stabbing spree?

    Anyway, you can't compare gun control to hacking control, or anything else, because a gun is a weapon, designed to hurt something, and other things cause damages as a side effect.

    Sure you can. I could easily use ping, traceroute, nmap, the latest DDoS scripts, etc, as weapons against your system. I could crash it, hurting either your hardware, your ISP's hardware, potentially a business' revenue. One exists in the physical realm (guns), the other in the electronic realm ("hacking" tools). They can both be used as weapons, both offensive and defensive. How they're used is the responsibility of the user. Neither has an inherent evil nor an inherent good, anymore than that thick piece of wood you're brandishing to either scare off the strangers, or coerce money from the locals with. They just exist.

    (Sorry, guns do not have a side effect of reducing crime,

    I beg to differ. Just the very act of training with a gun, knowing how to use it, knowing you don't have to be a victim reduces crime. It gives you a level of self-confidence and self-assurance in yourself and your abilities. Sure, you might not have a gun on you at the time, but predators can smell fear and intimidation. If you have that self-confidence in yourself, you become less attractive as prey.

    Plus, if you do have a gun, you don't necessarily need to use it. It's a method of last resort to have to shoot someone. Every personal protection course I've ever taken (NRA-sponsored, no less) emphasizes that the best course of action is to get away as quickly as possible. Barring that, try to find a non-violent solution (this could be as simple as shouting, or telling someone you have a gun, or showing it, but you'd better be prepared to use it at that point). Otherwise, as a last resort, use violence of whatever kind is necessary to protect yourself and/or your family.

    Personally, I plan to take every step possible to defend what's mine. That means in the physical world, having access to firearms, being trained in their use, and having the resolve to use them should that need ever arise. I don't intend to sit idly by waiting for the police to show up at some indeterminate point in the future, because of something happening right now.

    In the electronic world, it means using the same tools that likely attackers of my systems are going to use. Being familiar with how they work, what they do, and why they do it is invaluable to protecting my boxen. If I'm unable to do so, I'm just begging to be a victim, and can only attempt to put the pieces back together again after the harm has been done.

    In both cases, an ounce of prevention is worth a pound of cure.

    nor of holding back government oversteps)

    Realizing you might not necessarily be familiar with American history, I again beg to differ. There was this little spat between England and the colonies. And wouldn't you know it, those crazy gun-weilding wackos managed to revolt against an oppresive government.

    Do I think it's likely to happen today? No, there are too many sheeple, and folks who think the government has our best interests at heart instead of its own. Any /. reader should know how often the government sides with us poor citizenry.

    So yes, it's possible for guns to hold back government oversteps, and be used in constructive and defensive ways. It's also true that hacking tools can be used in a similar manner. Anyone who tells you otherwise has an agenda to advance, and certainly isn't looking out for your best interests.

    --
    It's pretty pathetic when karma can drop when you do nothing
  • you're absolutely correct, but more to the point, if a treaty would violate the Constitution, then it is unconstitutional for the president to negotiate it and for the Senate to ratify it. if either/both of those happen with an unconstitutional treaty, that is grounds for immedaite impeachment for violating the highest law of the land.
  • The next thing you now is that you need to registar yourself as a person with knowledge to hack. If you take away the right for me to see what is the problem with MY computer system and tell the world about it then I see something wrong with this picture.
  • Nurses are responsible for the medications administered, and believe me, they do not trust doctors or computers to know what the hell is going on. They check everything.

    And life support systems are generally embedded and not networked in any hackable way... the possibility is there but it's not as likely as you think.

    "Free your mind and your ass will follow"

  • Define sysadmin. I have 2 *nix boxes at home and I am the sysadmin, does that mean I'm exempt? I doubt it. Will Bugtraq be closed down and any dissemination of information about exploits be made illegal? It sure sounds like it.

    Will the Europeans decide to try once more for the Holy Land and ride into Jerusalem as liberating crusaders? Will the American government decide to finish the genocide of the native peoples? The way the governments have been acting lately I wouldn't be suprised...

    "Free your mind and your ass will follow"

  • From the news:
    ?In part because of the ingenuity of lawyers and the ingenuity of [computer criminals] to get around the laws we?ve got, the laws we?ve got aren?t sufficient,? Hyde said. ?The draft convention?.will make it much easier for people to investigate. It will have an immense impact.?

    What this JERK forgets to mention is the colossal analphabetism that runs among the police structures. The HUGE and COLOSSAL ignorance about computers and networks. Will the convention make much easier for people to investigate? ABSOLUTELY CORRECT. Because what will happen is that such law will give enforcement organisations the right to hassle computer experts and hackers. To get a cheap and easy-to-manipulate mass of technical experts that will work for these IDIOTS to avoid jail and/or other forms of persecution. This is putting all Security Experts hostage of a group of people that barely understands the technical and psychological specifics of our world of computers.

    This will not help fighting cybercrime. ABSOLUTELY. Because what first goes into HELL is cybercrime pervention. You can't study/analyse security holes. You will be dependent of a mystical/abstract support from developers to implement security measures. What you get? A Cybercrime Freeway. Now when this happens who is going to be hassled first? Criminals? How? If police, even with the most modern systems cannot manage to understand some of the most basic principles of network/computer security? You of course! They will come to you because they know that you still do "something on the side" (you don't wanna loose your admin job right?). And they will hassle you to work "for them". OF COURSE they will REMIND you that you are a SINNER. So your work will cost [$$$ - (cost to keep you out of trouble)].

    In the mean time wait for a whole trash of surveillance systems on your place. Why? Because you don't have the right anymore to do security. Well, in fact, they may leave you with that. but in a way, that practically, you have no rights at all. Because:

    You don't have any information (bye BugTraq)
    You can only rely on developers to fix bugs (we will fix it on our next release)
    You cannot develop/study your systems for security (pay and you'll get it)
    You fall into a double standard (are you fixing bugs or making security hacks? Are your development "inoccent"?)
    If anything goes wrong, call 911. (In the meantime your systems are completely bleached)

    So don't wonder if the badge guys will be knocking your door too frequently. Or even replace you...
  • I wouldn't be so general. Such documents are not a "conspiration against Mankind" but more the result of petty domestic fights between lobbyists of different fields. Lawmakers gather laws from discusssions with experts, lunches with corporative managers, talks with government officials, letters from citizens, the mass-media (yuks!) and the greys :). In result they produce something like this. Generally they barely understand what is written here. Their main task is to create something practical, juridically correct and which will not burn their next election.

    The problem here is that, probably someone managed to sniff his own stupidity into this treaty. Probably someone from the equivalent of the FBI or NSA in America. Probably he explained lawmakers how his life is a Hell because of these tools "roaming the Internet" and that "forbidding them would make life much more easy". Then a representative of a corporation like Microsoft may have told them that "these tools are the source of big losses", then an expert explained them vaguely what these tools may be used for. And, finally they decided to write this article without hearing anyone else because the quantity nd quality of experts was "enough". And consequently we got this piece of trash in the middle of a treaty that doesn't look so bad at all...
  • Cool. The cost of my services to you will then be
    $$$$ and not $$$ as before. Because I have to pass certification+ license+taxes-on-hack+pay-the-cops+pay-the-mob
  • Well if we go to the extremes then... beware your hands, your feet, or, even your head :)))))))))))))
    A great destructive method is kicking out the computer. Specially if it's turned on. Besides you think about kicking it... So don't be horrified if court decides to have you slandered in the best of medieval ways. Anyway, you're carrying illegal devices, rigth?
  • Have your read carefully this article:

    "a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5"
    [...]
    the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 - 5

    The problem is that any security bug is potentially a break-in! So if you create a testing tool you might well giving ground to fall under the laws created through this treaty. Besides note that 2a talks about "intent ... for purpose...". This foggy term reminds some stalinist times when, by possessing "burgeois" literature you are considered already a criminal. Because you already possess a "potential weapon" for commiting a crime.

    What kind of "intent for purpose" can be understood before commit a real crime? Is the fact that I have a gun on my closet an "intent to be used for the purpose" of killing my neighbor or rob my bank?

    Does the fact that I possess nmap on my computer be equivalent to an intent for the purpose of breaking into slashdot.org? Well they don't explain the intent. But they do link intent to purpose. In courts such games are the base to give you a cold shower:

    Lawyer: Is nmap an instrument for the purpose to break into slasdot.org.

    Expert: bla-bla-bla.. Generally yes.

    Lawyer: So we have now demonstrated that Mr. Hacker possesses a weapon for the purpose to break into slashdot.org. So, CONSEQUENTLY, he had the INTENT to break into slashdot.org!

    What should be done here is to wipe this article and write everything in a new way. Specially:

    Remark the distribution of tools that specifically don't only explore a security bug but also may ease the manipulation of systems where a clear break in has been made.

    Remark that these tools can be used as evidence (and how) in courts. This is much more important as many courts drop out cases as they don't know on how to deal with such software.

    Forbid te distribution of data that may be resulted from these break-ins (by agravating penalties) or that may ease such break-ins. Specifically the words "password", access code" should be erased from here, by substituitng them into a more universal term. Something like: "data that allows access to computer system and its data, beyond the limits of the people/systems allowed to access it." This would include such things like spoofing, packet hijacking and others.

    Mark more clearly the limits of using security tools for analysis/test/development and the criminal acts.
  • :))))))))))))))))))))))))
    Was not encryption equalized to "Ammunitions" by the Department of Commerce? Dear fellow Americans, weren't you crying all this time that this is incorrect?

    Ok, people NOW RUN to the D.C. and CONFIRM: "YEAH IT'S AMMUNITIONS, NO, IT'S GUNS, NO, IT'S COOOLER THAN NUKES!!!!

    In the meantime sneak a draft to them about considering security tools also as High-Grade Weapons. And stamp all this with the Right To Bear Arms.

    Btw don't forget that the suggestion came from Russia. As always, we have been good partners on what considers this stuff. And don't worry about us not being able to get your weapons. We will always find a way to exchange them :)
  • Make the penalties so ridiculous that the law becomes unenforcable.

    Anyone in possession of a compiler should serve a mandatory twenty years in prison.

    NO excuses. And when something breaks, we don't fix it...
  • Law enforcement is feeling overwhelmed
    Law enforcement is also pretty well clueless. The simple minds law enforcement mostly appeal to are content with running after robbers (to feel like heroes), shoot fleeing suspects (to dispose of superfluous testosterone), run from one restaurant take-out counter to another (to compensate for not being loved) or simply stake out a speed-trap (to get a feeling of accomplishment). When you move to the realm of financial fraud, you can start to see the law-enforcement system being strained (it has trouble dealing with abstractions), and when you outright move into computers (the ultimate abstraction level), they simply lose it altogether.

    In a previous job, we've dealt with detectives from a *BIG* law-enforcement agency, and they've done pretty clueless things in an investigation of a computer-based scam (we've saved the show for them) to whom we had originally sold the computers and LANs they used to do their scam. The problem is that they take policemen and try to turn them into hackers. The reverse should be done: you take competent computer types and make them into policemen.

    Becoming a policeman is easy, as it is routinely done for the simple minded, so it should prove a cinch for computer geeks... (Plus, imagine the revenge you'd get with the martial-arts training on all those who picked on you - as of myself, I was so much geek that it was the other geeks who were bullying me)

    I am taking a management class right now, and the moonlighting teacher normally works for the same *BIG* law-enforcement agency as above. Well, he has setup a web-BBS& lt;/a> for discussing course issues, and whenever some dope does an anonymous posting to criticize the course he goes apeshit, and shuts down access to the whole of the AC's class-C subnet!!!! He does not seems familiar with the concept of a USER-ID/password, and I have shown him /. whose principle he hasen't started to fathom. As a result most students are penalized, since this backwoods place ain't got much ISPs... [planetess.com]

    --
    Americans are bred for stupidity.

  • Vote Libertarian.

    They don't think the federal government has any Constitutional authority to make laws regarding this issue.

    -
  • Well, this is a treaty, not a law. And the Constitution doesn't limit treaties as strongly as it limits laws.

    It does, however, restrict treaties to compliance with the Constitution. We had this argument a couple of months ago, I was on your side, and we lost.

    -
  • ...I would remind you all of Mark Summerfield's "Letter from 2020" [osopinion.com] over at OsOpinion [osopinion.com].
    Dear Me,


    I'm not sure if reading this letter is illegal. I thought it only fair to warn you; it might be better to just destroy it. [...]


    Jay (=
  • I think you've misinterpreted the Constitution. Article VI is actually used to *avoid* passing unconstitutional laws by simply signing treaties. Because a treaty is made part of the "law of the land," it is also subject to Constitutional constraints on what can be part of the law of the land. The First Amendment is one such Constitutional requirement that this treaty would not be reconcilable with.

    Every law that Congress passes is part of the "law of the land," but that doesn't stop the Supreme Court from being the final arbitrator of what is Constitutionally permissable.
  • Our freedoms are related in weird ways:
    "It's like arms control," said a German-based hacker, who requested anonymity. "Saying you can't walk around with a loaded gun produces safety. You can compare an exploit to a fully-loaded weapon. Making exploits illegal could decrease the number of hacked boxes."
    Just a note. The best statistical analysis analysis [uchicago.edu] we have in the US about "walking around with loaded weapons", reveals that concealed carry is a large benefit to society, and saves lives.

    The gun laws in places like Washington DC only disarm the law abiding (aka, "victims"). Meanwhile, the politicians who make these laws have dedicated policemen to guard their workplaces and sometimes even persons. Armed policemen, of course.

    If victim disarmament laws really worked, then the police should be disarmed just like anyone else. But of course, they don't, and nobody is so foolish as to advocate disarming the police when the criminals are pulling down billions in their highly regulated economic sphere.

    The analogy maps perfectly to computer security. Take away legal possession of hacking tools, and sure enough no reputable people will have them. But the crackers still will, of course, and there will be a brave new world of ignorant sys admins with no ability to defend their systems.

  • Comment removed based on user account deletion
  • Comment removed based on user account deletion
  • Comment removed based on user account deletion
  • Well, this is a treaty, not a law. And the Constitution doesn't limit treaties as strongly as it limits laws.

    --
  • How about Gary Kleck? He was an anti-gun university professor who got in on the research because he wanted to back up his position. The facts changed his mind.

    Compare the US to Europe. Our homicide rate may be higher, the democide rate of Europe for the past century is MUCH higher. How many centuries will it take for our murder victims to equal the 12 million or so that were snuffed out in europe about 50 some odd years ago?

    LK
  • The really controversial bit is the section on "tools", right? Well, it says after that:

    with intent that it be used for the purpose of committing the offences established in Articles 2 - 5

    So, they have to prove that you are going to use the tools to break into computer systems to which you do not have "right", i.e. which aren't yours.

    This doesn't outlaw white-hat stuff at all, because you can do white-hat stuff against your own boxes. Is anyone here going to stand up and say that we should all have the right to text exploits on other people's machines?

    In the same way, BugTraq will be perfectly safe unless people stop putting a disclaimer at the bottom which says "educational purposes only."

    Gerv
  • When hacking is outlawed only outlaws will be hackers.

    This is such a patently bad idea. Okay, so we eliminate all public hacking discourse and we prevent law abiding citizens from being able to use and develop hacking tools. The results would be the following:

    1) criminal hackers will use encryption and numerous other methodologies to conceal their trade in and development of hacking tools.

    2) corporate security managers will be unable to test the security of their own systems.

    3) home computer users will be unable to test the security of their own systems.

    4) bugs found in common systems will be left unannounced and will be openly exploited by the people mention in point #1 above

    I mean can there possibly be a greater recipe for disaster on the Internet? *sigh* You can pull my copy of nmap out of the clutches of my cold dead hand!

    ---

  • Hmmm, I thought I responded to this earlier... maybe I just previewed?

    Anyhow, I believe that the Notepad in question is the one with Windows 3.1. Because of this ability of simple tools to perform "hacking", Microsoft in later years made Notepad acts as you described, and have also blocked Wordpad from loading files ending in .EXE. (Easily dodged with the obvious dodge.)

    (It is also remotely possible I did it with the 6.1 MS-DOS edit.com utility, which probably also won't work that way anymore. Either way, it's Notepad.exe and edit.com that have changed.)

  • America today has more incarcerated citizens per capita that Stalinist Russia did. (Not counting those executed outright by the state.)

    This is incredibly bogus. How many people, per capita, were murdered by the state in the USSR (not Russia) under Stalin? How many were not incarcerated but sent into internal exile? Put down your crack pipe and compare those numbers to the US today.
  • Thanks.. that was easy enough. :) My letter is on the way.
  • Isn't that less effective than seperate letters? I would think so.. seeing 10 letters instead of 1 letter with 10 signatures on it.
  • Until the US decides to hop on and sign this treaty.. did you read the article?
  • Yes.. laws against 'hacking' should be made. Penalties for 'computer tresspassing' are all it should amount to.

    As for exploits being published? As a seriuos sysadmin, I *DEMAND* access to this information, as I've always had.

    Now.. if they want to make these things *potentially* illegal, you know, like how a crowbar can be a 'break & enter device' if you are caught breaking and entering with it.. that may be acceptable. But mere posession of information? Good luck.
  • They 'can't' because it's STUPID.

    WE license physicians because, as a society, we don't want people DYING because they were duped into using a non-approved physician. we do it to obtain some sort of level of awareness about skills, when LIVES are at stake.

    Lawyers too. Engineers. All for the same reasons (lawyers may not protect your life physically, but they protect your freedom to do things)

    We do not license McDonald's workers, farm workers, or grass cutters. I do not see any need to license 'network administrators'. Why should we?

  • I think she's overstating the fact. Perhaps because she also does not like the law...

    Aiding and Abetting, though IANAL, probably must be MUCH closer tied to the actual crime. THe fact that your brand of crowbar was used to break into a building does NOT make you criminal. Neither does the fact that techniques in your book on weapons practice were used to kill someone.

    Now, if someone came and said 'I"m breaking into that house over there. Can you recommend a good crowbar?' and you sold him your top of the line crowbar.. you are 'aiding and abetting'.

    Same for hackers I suppose. Remember this....
    One can only be 'aiding and abetting' if a crime happens!
    THe reason for these contributory laws are to discourage the crime more effectively. ie: today, they can only charge the person who actually did the hacking (if that). The person who paid him and is standing next to him probably can't be charged. Under this law, he could (as he could with any other crime)>

    Kind of makes sense.
  • Yes, it does. Bugtraq is in no way aiding and abetting a criminal act.
    Just as the crowbar salesman does not ask you what you are doing with the crowbar, neither does bugtraq ask you waht you are doing with the information.
    Anyone who tried to say bugtraq was knowingly aiding hackers would get shot down terribly.

    Certainly, the possibility for someone to interpret it as a violation is there.. but it wouldn't fly.
  • Hold on. I'm not talking about some company 'certifying' someone on their products; that's fine and dandy: the people who know the product the best (those that make it) are stating who is and is not certified by them to have a certain level of knowledge about the product.

    This is VERY different than professional certifications for things like engineering and medicine and law. Those are not tied to a 'product' or a company.

  • I think the prevelence of these people trying to break in HELPS software in general in making security a high consideration in design.

    Laws like this might make security worse by giving the non technical the impression that the law will protect them from someone in a foreign land thats trying to break in...

    Your not going to stop these people ever unless you make security a high priority.

    The question is how do you fairly prosecute the really mallicious ones while letting those just poking around off. How are damages calculated? The Mitnick case set a very bad precident in this deptartment with ridiculously high losses sited in court but not to shareholders or the Securities and Exchange Commision (SEC).

  • But if a safe cracker gets his own safe and figures out the internals himself, hiding the diagram would be a useless gesture. The only solution is to design the safe in a way that even when it is obvious how it works, it would still be impossible or impractically difficult to open. Computer security is even riskier since the very difficult tasks can be reduced to a stupid little script (hence script kiddies), so therefore computer security needs to be in the "impossible" category.

    Only the system itself can tell you that its secure, and not the back of the box, and the only way to find out is to take it apart.
  • Agreed, lots. Me, I'm worried more about the ramifications. What can I legally *do* by way of a job? I'm a linux consultant/sysadmin; I rely on nmap on a daily basis if only to *test* my scripts. I'm not going to give up and spew code for Lotus Bloats just because some government chooses to outlaw legitimate activity.

    The law is doing what it does to the best of its ability: making the world criminals and itself look like an ass.
    ~Tim
    --
    .|` Clouds cross the black moonlight,
  • This is not without precident. As I understand it, there are a good many lockpicking devices that you have to be a registered locksmith to get.
  • Oh, puhh-lease!!!
    The point is, if you read the MSNBC article is that some consider it as a 21st century witch-hunt. This treaty reminds me of the silliness of persecuting those who use unconventional methods, sometimes at the risk of their lives. Witch-hunting and inquisition were used to keep the masses ignorant and prevent those free-thinkers from disturbing the status quo.
    Plus, Halloween is in 5 days, and this story is most definitely scary.
    Offtopic my ass. I'm beginning to understand how Signal 11 felt. Yeah and fuck karma too. I don't need some pathetic counter to tell me if I'm good or bad.

    ---
    Vote Inanimate Carbon Rod in 2000
  • if a treaty would violate the Constitution, then it is unconstitutional for the president to negotiate it and for the Senate to ratify it. if either/both of those happen with an unconstitutional treaty, that is grounds for immedaite impeachment for violating the highest law of the land.

    Except that impeachment dosn't actually appear to do much. Rather less of a disincentive than "High Treason", for which the traditional punishment is execution.
  • Dunno, plain text and extrans used to work, until one day, a long time ago, they suddenly switched names... and thus began the reign of the confused slashdot community. People who were troubled by the tags started posting about young teenage girls, breakfast foods, and prehistoric man chatter. They gained followers, recruited friends, and soon the dominion was overrun with pre-pubescent males trying to gain esteem among their peers. Gone was the Age of Wisdom, the Age of Legends... There are no beginnings or ending to Slashdot. What is, what was, and what shall be may yet... oh wait... been reading too much Wheel of Time...
    --
  • Yea I know what you mean. I cannot stand legislatoin like this!

    Here are a couple of loop holes here...

    What about MS DOS debug program. This falls under the guise of hacking, but is distributed with almost every OS MS has produced!

    Whate about nmap? The article discusses this. The councel says there will be exemptions... From the article, " The Council of Europe has promised to provide a list of exceptions to the treaty, and professional network administrators will likely end up exempt"

    First of all what software will be exempt? I've used a DDoS tool for fluding my own network to see if my machines would choke! (BTW it was fun seeing win 9x croke but linux just slow down a little) This tool was designed for DDoS but I have a completely legit use for it.

    The other part "...network administrators will likely end up exempt." This really pisses me off!!! I'm a C++ developer not a net admin. But I can do a better job of net. admin. thay anybody in my co's IT dept. Would I end up exempt? Who knows, I'll probably get prosecuted for haveing a copy of nmap!

    This is just bogus crap! What lawmakers do not understand they prosecute. If it looks like it breaks a law and they don't understand it, prosecute it!

  • That just isnt good enough. Unless its in the treaty theres bugger all chance of the explanatory report being reflected in law. My response to the coe (which I copied on to /.) asks that they include in the wording of article 6 that intent to commit offense must be proved.

    There is also the thorny issue of article 11 - which as written makes it illegal to submit patches to security software, if you did not realise that the intent of the author was black hat ('cos if they are later prosecuted you are in the shit for aiding and abetting). D'oh!

    Thirdly, there equally profound implications later in the document. Whilst posession of kiddie porn is evil, the provisions of article 9 make it illegal to *cache* transmissions including kiddie porn. They also make it illegal for companies to collect surfed material in order to provide proof for a tribunal or prosecution that the employee surfed kiddie porn. They make it impossible to develop tools that would be capable of classifying images as kiddie porn.
  • Just like bugtraq would be considered illigal by such a law, wouldn't any other item that provides a means or an easier route for 'hackers' to enter a system be considered illigal as well? For instance, would it be illigal to have an unpatched/unrepaired binary that had a security hole? Such a thing would provide a way for a 'hacker' to gain another portal for attack. What about something like telnet - it's easily sniffed, since it's an insecure connection. Just some things to think about...

    -------
    CAIMLAS

  • Even worse:
    • Article 6 - Illegal Devices

      Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right:

      • a) the production, sale, procurement for use, import, distribution or otherwise making available of: 1. a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;
      • 2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed

      with intent that it be used for the purpose of committing the offences established in Articles 2 - 5;

      b) the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 - 5. A party may require by law that a number of such items be possessed before criminal liability attaches.

    The last line of section A (intended use) might cover white hats, but perhaps not. It seems like that could be interpreted in serveral ways.
    --
  • I think the treaty is for something more along the lines of using a screwdriver to pry open someone else's covering.

    They want to outlaw tools that are produced/distributed with the intent to commit a crime.

    Which means that if some guy on the street is shouting "come get a fancy coat hanger! It's great for opening car doors!", that might be illegal under this treaty. But if someone else is advertising coat hangers for use on coats, then that person's act of selling hangers wouldn't be illegal.

    Or something dumb like that.
    --

  • For every field where offenses and defenses exist, there will be an arms race were each side temporarily gains the upper hand.

    The speed of the arms race must be controlled.

    • If the arms race goes too fast, the result is anarchy. The faster the arms race, the higher the defense overhead for the common productive citizen becomes because they have to keep upgrading to the latest defense. The lower the defense overhead is, the smaller a business can be and still survive, which results in a greater diversity of goods and services.
    • If the arms race goes too slow, the result is tyranny by the government. To slow the arms race, the government must control the tools and people involved in the arms race. However, there will still be organized criminals who have the resources and stealth to advance the offenses. So the government is required to advance the defenses. This makes them invulnerable to overthrow by the people, which gives them ultimate control.
    • If the arms race goes at a medium pace, then it's the best situation for the common citizen. They have a moderate defensive overhead, yet are still able to overthrow the government if a majority of them organize their resources.

    --
  • playing devil's advocate...

    Yeah, but should it be legal to leave a rocket launcher laying out in public view? Someone could walk by, pick it up, aim it at someone, and pull the trigger on an emotional whim.

    Should it be legal to have software that's as easy to use?

    Perhaps BUGTRAQ type exploits aren't quite as close to this, but what if there was a program that when run, would bring up a list of hospitals... the user selects a hospital and hits the "Okay" button... the software then uses its preprogrammed automation to find the power source for the hospital, hack into the power station, and turn the power off. Should such software be allowed to publicly propagate?
    --

  • by Anonymous Coward on Wednesday October 25, 2000 @04:25AM (#677674)
    As a Security professional, I have to strongly disagree with this proposal. If you take away the right for administrators to possess the tools required to test their systems for vulnerability, you criple The Good Guys. The Black Hats will still have the exploits and the only way we'll find out if we're vulnerable is to wait to get cracked!

    Further, remember that Full Disclosure lists like BugTraq keep vendors honest. These lists force vendors not only to admit their bugs, but also pressures them to release fixes quickly and not sweep problems under the rug.

    - Jay Beale, Lead Developer, Bastille Linux

  • by Anonymous Coward on Wednesday October 25, 2000 @05:41AM (#677675)
    The "War on Drugs" has blessed us with
    • Crime
    • Violence
    • The most dangerous black market ever known to mankind
    • Taxes, so they can buy more guns and hire more thugs to enforce their laws, and to keep innocent prisoners in jail, even those who have never sold a dime of weed in their life

    Nevermind that the "War on Drugs" is the most blatent constitutional violation that ever existed. What I put into my own body is my own goddamn choice, thank you.

    And you thought you lived in a free country.

    Please, vote Libertarian [lp.org] and put an end to this madness.

  • by Ektanoor ( 9949 ) on Wednesday October 25, 2000 @06:02AM (#677676) Journal
    You know why Windows can't keep the pace of Unix?
    Because it has more bugs? No. Because it is closed source? Noooooo. Because Microsoft owns it? Of course not.

    Because Unix is much more manageable than Windows. That is what it makes Unix more secure. Even Linux has some ENORMOUS bugs on what concerns security. But here the reaction time is tremendously more faster than Windows. Even in times when Solaris was purely closed source, people managed to react more rapidly to any security threat.

    Windows possesses a dumb interface that pretends to be "complete". However tons of backdoors/bugs are concealed inside this interface. You can't reach them in most cases because Windows interface is too restricted to allow control of many inner systems. So if one breaks in you can only face the fact.

    Sincerly I was admired for a situation I fell in. When Windows ruled here, 1/3 of our Internet population played only one thing: "Hack Windows!" Because many found a series of backdoors and we couldn't do anything against that. Now, on Linux there was a HOLE that remained for approximately 6 monthes. You know? No one ever noted it. Why this? Because in the first month of Linux Era people got real hassled, as we reacted momentarly to any break. In the end, only 2-3 people out of 700 "crackers" remained. Btw ee don't touch them as we are afraid of the full extinction of this species... :)

    Now most of this work is made 80% on the basis of analysis/studies/implementations of security systems. And this includes scanning & testing break-ins. Only a 5% are real "healing after the fire". If this law comes up, all this goes into the trashcan...
  • by Jerf ( 17166 ) on Wednesday October 25, 2000 @04:09AM (#677677) Journal
    There's no such thing as a "hacking tool"... unless you count all computers as hacking tools. With time, patience, and skill, a hack can be performed in Notepad. (Done it... nothing significant, mind you, I'm not bragging, I'm just saying it can be done. Somehow the first byte of an MS-DOS executable got corrupted and I changed it back to "M" (as all MS-DOS exes start with the magic number "MZ" in ASCII).) To me, that's the real problem; the line is so fuzzy about what a "hacking tool" is, and there's no way to "de-fuzz" that line. This law stems from nothing but fear, and knee-jerf reactions to legislative fear tend to only make things worse.
  • by Stonehand ( 71085 ) on Wednesday October 25, 2000 @04:33AM (#677678) Homepage
    It's what people clamor for -- safety.

    My suspicion is that any politician who clearly states that the state cannot usually protect you -- there are always people who will not be deterred -- but can often only help clean up the mess afterwards, is going to lose a LOT of votes.

    Never mind that, if memory serves, courts have ruled that you are not entitled to the expectation of comprehensive police protection; you cannot sue the police for failing to proactively protect you.

    After alleged Crisis X, the question posed by reporters / worrying parents / etc is usually something like, "What will you do to make sure that Crisis X never happens again?". The clause "...while preserving our individual rights" generally doesn't come into play. We've seen it again and again -- after Columbine, the OK City bombing, and so forth.
  • by discore ( 80674 ) on Wednesday October 25, 2000 @04:00AM (#677679) Homepage

    You can compare an exploit to a fully-loaded weapon.

    No you can not. A loaded gun will kill someone. Death, ends existance, heart discontinues to function. An exploit is used by script kiddies to change a webpage, piss off an admin.

    This article pisses me off, it supports security through obscurity and that idea is horrible. Ugh. If I continue ranting anymore this will be -1 flamebait.

  • by dzimmerm ( 131384 ) on Wednesday October 25, 2000 @06:51AM (#677680) Homepage Journal

    I came up with the statement listed below. Let me know what you think.

    Sirs and Ladies,

    I have read much of your proposal and found that while it takes into account many things that should be done to aid in the arrest of parties engaged in illegal access and destruction of computer data, it does not mention or protect the need for corporations and individuals to attempt to access data on their own computer systems so as to determine their systems vulnerability to attack.

    There is concern that normal security checking software and knowledge of common or popular systems used to defeat security would be made illegal by the provisions of your treaty. I and many others feel that only with thorough knowledge of the weaknesses and strengths of any computer or system of computers, can those computers or systems of computers be made more secure. If provisions of your treaty make the use of security checking software legally questionable then only those with illegal intent will use such software.

    I ask that you make provisions within your treaty for the use of security checking software by individuals and corporations. I would ask that you make clear that it is the intent to do damage or cause harm that is illegal, not the means by which that harm is caused.

    Sincerely,

    David P. Zimmerman Bachelor Of Electronics Engineering Technology

  • by kfg ( 145172 ) on Wednesday October 25, 2000 @04:59AM (#677681)
    Dear Sir,

    As the officer in charge of enforcing the new anti-hacking laws it is my duty to inform you that you are in violation of the law. No action will be taken at this time as we are trying to be nice and allow people an adjustment period. This note is part of that adjustment process. In the future you will have no warning.

    To wit: you have been observed walking around your house seeking open windows and doors. Such activity can now only be legally done by a trained and licenced professional. Seeking possible illicit entry points into an abode is an obviously nefarious activity and will be prosecuted vigorously.

    It has also come to our atttention that you possess not one, but several criminal devices known to the criminal world as "keys." Such devices whose only function is to circumvent high security mechanisms are blatently evidence of criminal intent and their possession * will not be tolerated.*

    In the future you may call upon you local licenced security professional for dealing with such devices. Simply show your security access papers and proof of ownership of the security device and the dwelling to which they are attached, provide said security professional with fingerprints, and for a nominal fee he will " unlock" your security device.

    Please be warned that we will be making followup calls on all persons employing such security professionals to make sure that everything remains on the up and up.

    We appreciate your cooperation in these matters, but we're building a lot more jails just in case.

    You have been warned.
  • by Pinball Wizard ( 161942 ) on Wednesday October 25, 2000 @08:28AM (#677682) Homepage Journal
    Its actually worse than you think. As of June 1999 there were 1,860,520 adults in prison, or one out of every 147 people ~.68%. We have the largest prison population in the world, both in terms of percentage of the population and sheer numbers. Here is my source [go.com].

    I'd like to think that racism has gone away in this day in age, but considering that fully 11 percent of black males in their 20s and early 30s are incarcerated, its easy to see that it hasn't.

    Not to mention that our prisons are so bad a popular movie like Office Space can refer to them as "pound me up the ass" prisons - and no one questions the joke.

    The war on drugs has turned this country from a country I was proud to be a citizen of to the most opressive, human-rights-violating nation in the world.

    I watch the sea.
    I saw it on TV.

  • by SquadBoy ( 167263 ) on Wednesday October 25, 2000 @04:25AM (#677683) Homepage Journal
    They may make cracking illigal but they can't prohibit us from discussing computer security or posting exploits. You are working off of the assumption that when it comes to computers and computer security that these people are rational and really feel that the first applies. The simple fact is that they don't and the bad laws based off of their idea that computers are "different" are being upheld or at least not shot down yet. Think DMCA. They will erode as many rights as we let them which is way we need to be aware of things like this and *not* just take the attitude that it can't be done because it is silly on the face of it. If we don't fight it it can and will be done.
  • by kortnie ( 168996 ) <cdietzmann@gmail.com> on Wednesday October 25, 2000 @06:07AM (#677684)
    Hacking could be as simple as getting into hotmail from school, despite the smart filter. First of all, I don't think that schools should be allowed to filter out these... I like to send my links to my mail account so I can save money and print them out later. If I can't send them, how am I going to be able to remeber where they are?
  • by Veteran ( 203989 ) on Wednesday October 25, 2000 @08:04AM (#677685)
    I think that everybody is missing the number one hacking tool which would become illegal: compilers.

    I am not exaggerating - think like a lawyer - compilers are the number one hacking tool. (And yes Mr. Pedant I know that it is possible to hack with an assembler. I am using 'compiler' in this context to mean any tool which allows a person to program a computer: compilers, assemblers, interpreters etc.) These would all be illegal under the terms of these laws. While licensed professionals i.e. Microsoft employees etc. might be allowed to use these tools under supervision - common folk such as us would be prohibited from even owning them. As a side effect, this will destroy Linux and BSD - what are those without gcc?

    Wolfram and Hart style lawyer argument: "After all we license people to drive cars, why not require a license to program a computer."

    The hour is growing very late - under the guise of 'protecting the Internet from hackers' governments are about to make it illegal to do anything of value for humanity with free software. When is everybody going to wake up?

    Who do you want to control technology: people who understand it, or people who fear it and want to destroy it? We are badly outgunned, and most of us don't even realize we are in a fight for our lives.

    We either draw a line in the sand and say NO or we stand to lose everything. It will soon become apparent (to everyone with an IQ above that of a pet turtle) that I have been right about the legal system all along. These people know exactly what they are doing. This is not a mistake, a misunderstanding, or anything else innocent; these laws are deliberate, well thought out and intentionally malicious.

    --

    The law, 100's of millions of lines of code, not one line of which has ever been tested to see if it works.

  • by evanbd ( 210358 ) on Wednesday October 25, 2000 @03:57AM (#677686)
    then only criminals will know about the exploits.
  • by MWoody ( 222806 ) on Wednesday October 25, 2000 @08:05AM (#677687)
    Of course, the knee-jerk reaction is to claim this treaty is unconstitutional by the First Amendment.

    But really, couldn't this fall under the right to bear arms? There are many analogies between hacking and firearms, after all, most notably the same tools being involved in both the crime itself and the protection against it.

    Is anyone else a little scared at the possibility of 2600 magazine and the NRA agreeing on an issue?
    ---
  • by Auckerman ( 223266 ) on Wednesday October 25, 2000 @04:15AM (#677688)
    Since our law makers and their corporate sponsers are inept, this will do NOTHING. They go after FTP, HTTP, and IRC to battle piracy when Hotline has kiddie porn. They go after Napster, when Gnutella and Scour do the same thing and more. If they can't read about it in 10 minutes, they don't know it exists. Does anyone actually beleive that making the ownership and distributation of hacking tools illegal will stop people from breaking into your computer? The fact that they can go to prison certainly didn't stop them. What makes anyone think adding more stuff to the list will stop them?

    Oh well, as soon as some Russian kid breaks in to a corporate site and steals every CC there....errr..

    shrug

  • by Cap'n enigma ( 239593 ) on Wednesday October 25, 2000 @06:07AM (#677689)
    The real issue is control. The internet has weakened the ability of governments, business and media to control what we think, what information we have access to, who we can talk to, etc. The internet has empowered people to a degree never before possible to speak out freely, access the store of human knowledge and share knowledge, ideas and opinions. So, under the pretense of protecting us from cyber criminals, child pornographers and terrorists, they pass these laws. But, the real reason is so that government can regain control of what we say and who we say it to, business gain regain control of the store of human knowledge so it can only be accessed by paying a toll fee and so that the media can regain control of what we think and feel by limiting us to the ideas and opinions that they want to feed us.

    The question is what are we going to do about it? Are we going to let this happen? Is this period of real freedom going to sustain, or, like democracy in ancient Greece, just shine brightly for a brief moment and then die out to be (hopefully)reborn in another millenia?

  • by wackysootroom ( 243310 ) on Wednesday October 25, 2000 @06:16AM (#677690) Homepage
    If Bugtraq is made illegal, the vendors wont have to release patches everytime someone finds a bug, and the general public (Including a lot of sysadmins) wont even know the bug is there. That sure would make the alot of software look better, more secure, and more reliable. ECommerce would bustle with the promise of "better, bug free software", and polititians would be there to take the credit. This of course would all be an illusion, and the consumer would suffer. On a personal note, If I had to sit around and wait for patches from my vendor without a forum like bugtraq, my server would be about as secure as a balsa wood shack with cheesecloth for a door.
  • ... pry it out of my cold, dead hands. No, wait, that's my guns, but the principle is the same.

    It's very disheartening to read about the cluelessness of these idiots. "Hacking" serves a very useful purpose in the computer world, and from skimming the MSNBC article, it's clear the lawmakers either don't know, or don't care, how horrible this treaty is.

    Being in a network security class right now, I can definitely say that, were it not for hacking, in the original sense, very few networks out there would be secure. Reverse engineering protocols, examining the "oh shit"s in them, and publishing the results seem to be the only way to bring to light problems, and hopefully get them fixed. (I'm thinking s/key, securid, Firewall-1, etc here specifically, and know there are others.)

    If it suddenly becomes illegal to post new vulnerabilities to mailing lists like BugTraq, if it suddenly becomes illegal to write or possess or use tools like nmap, or SATAN, or even traceroute and ping, will just serve to immediately make criminals out of a large percentage of the computer-literate population.

    And let's face it, like any other such law which tries to "protect" law-abiding citizens by making something which can be used for both good and ill illegal, the end result is either creating more victims (in this case, because people won't know about the latest exploits, and be able to lock down their boxes), or creating more criminals (since I doubt, regardless of law, whether or not most people who use these tools, for good or ill, will stop using them).

    Not to mention those engaged in illegal cracking activities now have no more incentive than they did before to stop.

    I agree that the "massive wave of cybercrime" is likely nothing more than a bunch of script kiddies using well-known exploits to attack web sites and servers that, in all honesty, really should have been secured in the first place. Somehow, this all seems like the electronic equivalent of Columbine, where, because a certain type of tool was used to commit an illegal act, there are now more calls from talking heads and people with their own agendas to advance spouting off how evil these tools are, and how we have to protect the public.

    Well, here's a news flash... The tools themselves have no inherent evil. It's only the use the individual users put the tools to that can be judged to be "good" or "evil". A hammer, a kitchen knife, a copy of gdb, or perl...they're all just tools. They sit there until someone takes it upon themselves to use said tools for a particular purpose. Just because someone used a kitchen knife to stab a person to death, or a copy of nmap to discover an idiot left the r* services on, is no reason everyone should be banned from owning kitchen knives or nmap, on the off-chance they themselves will be either perpetrator or victim in the future.

    There is some hope, however. If this Draft Cybercrime Treaty is approved, I can only hope it will hasten the acceptance of other tools, such as the remailer networks, onion routing, freenet, etc. Yeah, we'll all probably technically be criminals at that point, but maybe then at least we'll be able to keep out both the script kiddies and the lawmakers, and get on with our lives, knowing at least we will be secure, while the rest of the (digital) world collapses under its own folly.

    (can anyone tell me why I need to select "plain old text" to get html tags to work?!)


    --
    It's pretty pathetic when karma can drop when you do nothing
  • by account_deleted ( 4530225 ) on Wednesday October 25, 2000 @04:46AM (#677692)
    Comment removed based on user account deletion
  • by BilldaCat ( 19181 ) on Wednesday October 25, 2000 @04:01AM (#677693) Homepage
    Oh yeah, it was "NORIGHTS"

    It astounds me to watch on a daily basis the right of free speech being taken away.

    And of course, all we're going to do is sit and whine about it on Slashdot. I, for one, haven't gotten out and done anything about it, and I would venture to say 99% of the people here haven't either.

    And the people passing these laws know this, and we're gonna get screwed.
  • by Bazzargh ( 39195 ) on Wednesday October 25, 2000 @07:17AM (#677694)
    I can't believe someone rated that a troll. It is a good idea to comment on this treaty. Ok, so I've now done so. So shoot me down for proposing changes instead of asking that it be scrapped....

    Sirs:
    the current draft of the cybercrime treaty is, as you must be well aware by now, greatly objectionable to computer security practitioners. I am writing to suggest a small number of changes which would make the treaty as drafted less objectionable.

    I would suggest that Article 6 - 1 be changed to read:

    a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5 [with the intent to cause such an offence];

    (The last bracketed text is new). This is the only identified offence in the treaty where the prosecution is not required to prove intent, yet it is clearly not the intent of researchers, computer security professionals, and hobbyist computer security experts (such as the author of 'nmap'[1]) to cause such offence.

    The inclusion of an exemption where intent does not exist would also enable the contribution of 'patches'[2] to existing 'open source'[3] security software under article 11(b), which would also become illegal under the terms of the draft treaty.

    Article 9(b) and (c), as currently drafted, would explicitly prevent the development of software intended to monitor or prevent access to material banned under article 9. Specifically software programs, currently available, intended for use by corporations collecting evidence against employees accessing such material to back up a case for an industrial tribunal, would become illegal[4]. Similarly it would become impossible to develop software that attempts content blocking by image recognition, as use of a 'training' image database would become illegal[5]. Finally, it would make illegal the practice of 'cacheing'[6] internet traffic for performance reasons, in that passively storing temporary copies of such material would also become illegal. Such action would have an immediate deleterious effect on the performance of the internet.

    With the exception of cacheing (which deserves specific exemption) it would not be onerous for software developers or corporations to register for exemption under article 9 with national regulatory bodies, such as currently happens in the UK under the Data Protection Act (1998)[7]. Such provision in the treaty would make it possible to produce software intended to help enforce the treaty, without which enforcement will be difficult if not impossible.

    Yours,
    [Name witheld from Slashdot]
    The opinions in this message do not necessarily accurately
    reflect those of my employer.

    [1] http://www.insecure.org/nmap/
    [2] http://earthspace.net/jargon/jargon_31.html#TAG133 5
    [3] http://www.opensource.org/osd.html
    [4] for example, http://www.websense.com/internet-filtering.cfm
    [5] eg, using work described in http://inst.augie.edu/~swets/ACCV95.html
    [6] http://webopedia.internet.com/Hardware/Data_Storag e/Caches/cache.html
    [7] http://www.hmso.gov.uk/acts/acts1998/19980029.htm
  • by bwt ( 68845 ) on Wednesday October 25, 2000 @04:56AM (#677695)
    I sent the following letter to my representative. You can email your representative easily by going here [house.gov]
    ____________________
    To the Honorable Lamar S. Smith:

    I am a database consultant in your district. I work at the Air Force Recruiting Service Headquarters at Randolph Air Force Base. My work there brings me in contact with technology and information system security issues on a daily basis.

    I recently read an article about the Council of Europe's Draft Cybercrime treaty that frankly scared me. The article is available at this URL:
    http://www.msnbc.com/news/480734.asp#BODY

    Let me be clear: this treaty would be a disaster that would threaten national security and the health of electronic commerce. The idea of the treaty is dead wrong. "Full disclosure" of computer security flaws is essential for system administrators to protect there own systems and it is also critical to eliminate denial on the part of software vendors and to track the effectiveness of responding to security concerns. It is also a First Amendment right to have open discussion on security flaws.

    I believe that the U.S. delegation to this treaty is incompetent and should be recalled before serious damage is done. They obviously have little understanding of what it is that they are regulating.
  • I, for one, haven't gotten out and done anything about it, and I would venture to say 99% of the people here haven't either.

    I have gone and done something about it. I wrote a letter and sent it to both my Senators. You can as well. I've put the letter up for download here. [ncsu.edu] Sorry about it being a word doc, but I wrote it at work and our network admin is a M$ nut.

    Just download it, make a few changes, sign it, and send it to your senators. You can find their addresses here. [senate.gov]

    No more excuses. Print it out and send it in today.

    Trains stop at a train station. Buses stop at a bus station.

  • by guran ( 98325 ) on Wednesday October 25, 2000 @04:12AM (#677697)
    Meet the new way: "Seurity through ignorance"

    If only we can keep everybody uninformed about possible exploits we will have no more unauthorized entrances, no siree!

    But wait, soon we will be ready for the next step: "security through stupidity" That's when nobody has the brains to behave in any other manner than our market research indicated. Yes, people it's true!

    Actually a recent study by bullshit resarch inc suggested that an average IQ lowered by 20% would benefit our economy. How high IQ do you need to shop and wiew our approved movies anyway? Then some people may upgrade their childrens brains with our groundbreaking brain# (brain-sharp) treatment, giving them the skills neccessary to keep control of the sheep^H^H^H^H^Hpopulation.

  • by aggressivepedestrian ( 149887 ) on Wednesday October 25, 2000 @05:32AM (#677698)
    Hacking tools don't crack systems, people do.
  • by lpontiac ( 173839 ) on Wednesday October 25, 2000 @04:21AM (#677699)
    ... where it's illegal to possess a portscanner unless you have your MCSE.
  • Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right:

    c) the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of depriving citizens of fair use rights, right to free expression, or other human rights as established by the Universal Declaration of Human Rights.

  • No doubt about it. If you kill off the chance for the average joe to persue his hobby all you will be left with is the 'allowed' folks (administrators, etc) and the real criminals who don't give a damn about laws either way. One of the things about having an open system with no laws is that faults show up much more readily when the entire (h/cr)acking community is involved.

    Laws like this are so rediculous in that they are fuelled by people who think they have their interests in the right place but they don't even begin to realize the situation. Law enforcement is feeling overwhelmed - give me a break, like one of the comments in the article said, no one has ever stolen money from a bank (that we know of) over the net. Maybe they should be worrying about real, tangible criminal activities instead of a bunch of 15 year old script kids up to nothing but mischief. It's all about power in the end I guess, and the authorities that be just can't stand not being at the top of the net ladder.

  • by Hairy_Potter ( 219096 ) on Wednesday October 25, 2000 @03:57AM (#677702) Homepage
    That they're making cracking illegal.

    They made drugs illegal a few years back, and it's really helped! You never see drugs, or hear about drugs anymore.
  • by Wakko Warner ( 324 ) on Wednesday October 25, 2000 @07:18AM (#677703) Homepage Journal
    We need
    to tell industry and our political figures that we WILL NOT stand for such things, and will fight them
    every step of the way!


    That's the problem, though. We need to do this and we need to do that, but, when it comes right down to it, how many of us actually get off our fucking asses and do anything? How many people who constantly whine and bitch as their freedoms are slowly usurped from them also support the EFF through donations? How many write (not email, WRITE) their congressman every time a boneheaded bill is introduced? Judging by the outcome of trials and the passage of various and sundry laws in the past few years, I'm willing to bet the number is pretty damned low.


    If bitching could really solve problems, slashdot would have ended world hunger by now.


    - A.P. (and, yes, I support the EFF. You should too.)

    --
    * CmdrTaco is an idiot.

  • by emag ( 4640 ) <slashdot@gur[ ].org ['ski' in gap]> on Wednesday October 25, 2000 @04:55AM (#677704) Homepage
    A loaded gun will kill someone.

    No, a loaded gun might kill someone, as will any number of other tools. I'm sure any enterprising individual would be able to find a way to kill someone with the contents of, say, a kitchen. Or a game closet. Or a pencil case. Or their car. Or a thimbleful of water.

    This brushes one of the things that really torques me off. A lot of people, whether they realize it or not, ignorantly assume that bullets have some magical property that causes them to instantly kill someone if they're hit with them. (Case in point, UPS guy to the front desk of my apartment complex when delivering a couple cases of ammo: "Whoever that guy is, you sure don't want to piss him off.")

    This simply isn't true. Yes, if you're shot, there's a chance you'll die. But unless it's a well-placed shot, it isn't likely. Especially when using non-hollowpoint bullets.

    Not to mention, all of my gun-weilding friends are some of the most responsible people I know. They're well aware of the potential for abuse that owning a firearm has, and always practice safe handling techniques, and pass on this knowledge and concern about safety whenever they introduce a new person to how much fun it is to blow away a paper target or go plinking. (You have no idea how satisfying it is to shoot surplus tax forms on Tax Day.) Coincidentally, these very same people are almost all highly skilled technically, and most are concerned with computer security in one way or another, and use knowledge of exploits and "hacking" tools to accomplish their day jobs.

    A loaded gun is probably less dangerous than a fueled-up car. And as far as children are concerned, less dangerous than any of: a pool, stairs, household cleaners, bicycles, a busy street.

    One of the problems, as I see it, is that there are just too many script kiddies out there who act without thinking. They have no sense of responsibility, so they have no way of realizing the harm their actions cause, or worse, delight in it. This doesn't mean that the rest of us should be prevented from using the same tools for useful purposes. It means we should make the victims less likely to be victims, through empowerment. That means publishing exploits, pressuring vendors to release fixes, and being constantly vigilant against future threats. Sticking our collective heads in the sand and loudly proclaiming there isn't a problem will just make it easier for the more pragmatic, less socially responsible to sneak up on us from behind.

    (damn, I didn't think I could pull that back on topic)

    --
    It's pretty pathetic when karma can drop when you do nothing
  • by paitre ( 32242 ) on Wednesday October 25, 2000 @04:14AM (#677705) Journal
    There's something that some of y'all are missing here. The distinction between what a treaty is, and what a law is. Note that my use of the word "state" is synonymous with "nation" vis a vis "nation-state".
    Basically: a treaty is an agreement between nations that amounts to a contract such that if X happens, then Y will occur. For example, one of the provisions of the NATO treaty is that if -any- member state is attacked, then retaliation is expected of all other members (ie: if Russia were to invade Germany, we'd be essentially obligated to wage war on Russia). Treaties can -also- state that each member state will agree to pass laws that will do X,Y,Z. That's what this one appears to be.
    A Treaty -is not- a law. However, due to it's nature as a contract, it can seem like it.
    A law, on the other hand, is legislation passed by the government of a given state. So, if the US were to sign on to this treaty (which thus far looks like it's primarily a European thing), we would be obligated by treaty to pass laws that meat the treaty's demands. The wonderful thing about the US signing treaties is that a treaty must be ratified by the Senate BEFORE the US will recognize our signature on the document as valid.

    IANAL, but this is what I seem to recall.
  • by Bazzargh ( 39195 ) on Wednesday October 25, 2000 @06:29AM (#677706)
    The only thing that is objectionable (but is pretty damn objectionable) in the treaty is the two lines making illegal:

    "the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;"

    Everywhere else in the treaty actions are qualified so that you must also have had the _intent_ to break the law (breaking the law in this case is essentially causing criminal damage).
    If that qualification was added to this particular clause the whole thing would be pretty unobjectionable, viz:

    "the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5, with the intent of causing such an offence;"

    The lawyers would (as usual) have a field day with proving intent, though, but researchers/hobbyists/security specialists would be safe.
  • by EnderWiggnz ( 39214 ) on Wednesday October 25, 2000 @04:18AM (#677707)
    ok... i'm trying to picture this one...

    (Associated Press - Alcatraz) Today, in an effort to end the pampered style of geek prison life that so many convicted criminals have been accustomed to, The Rock was reopened for service today.

    "Hey, these guys managed to get T3 lines into every cell, and the guard door system was a joke, we think that they managed to hack the system so that it would let the doors open whenever they wanted.", said Red Bull, the head of HACK (H)ackers (A)re (C)riminals (K)ill 'em.

    "I wished that we could have continued using the death penalty against these evil terrorists and child pornographers, but the ACLU felt it necessary to defend these scumbags. Something about 'the punishment not fitting the crime' or other such nonsense"

    "Look, these felons have it better in prison, hell, their cells are over 4 times as big as a typical cubicle is, and they get in house laundry, THEY DONT EVER HAVE TO WORRY ABOUT DOING LAUNDRY AGAIN, and look this doesnt seem like a big point, but I've been to busts on these evil hackers, and their laundry piles up to huge amounts before they decide to do it. It's inhuman, I tell you.

    "I just wanted to make this prison term as much of a punishment as possible, so we are cutting these geeks off of their lifeline, and going back to all old-style technology. No computers, no net access, barely electricity.

    Maybe now these felons will get what they deserve.

    Ignorance is Strength!
    Freedom is slavery!
    Peace is War!
    Hacking is Evil!


    tagline

  • Washington, D.C. - In a stunning development just announced today, the United States, along with twenty other European nations, will soon make 'yo mama' jokes illegal. Without any regard to issues of free speech or free thought, representatives at the meeting have decided to make the words 'yo mama', when used in a joking context, a felony punishable by up to 5 years in prison and/or a $100,000 (or 100.000 Euros) fine.

    One stunned joker was quoted as saying "No way, dawg! Ain't no way they gonna take away my right to laugh at yo' mama!"

    Neither US or European representatives from the summit could be reached for comment.

    Please stay tuned for updates to this breaking story.
    -----
  • by Verteiron ( 224042 ) on Wednesday October 25, 2000 @04:15AM (#677709) Homepage
    Check out the text to the actual treaty here [coe.int]. Looks like the newest revision is only available as a Word doc, although there's a slightly older version available in HTML. Something worth noting, though: contrary to the implication of the article, the word "hack" or "hacking" does not appear anywhere in this draft. The "Illegal Access" section contains the phrase "A Party may require that the offence be committed either by infringing security measures or with the intent of obtaining computer data or other dishonest intent." IANAL, but I think this pretty much outlaws all white hat stuff.

    One of the interesting things about this, also, is the fact that it's a treaty. It basically says that all nations who sign/agree to it will create a set of a laws that accomplish the goals laid out in it. The actual laws themselves will be created by the countries affected by it, and those are what are really going to make "hacking", "cracking" or anything else illegal.
  • by American AC in Paris ( 230456 ) on Wednesday October 25, 2000 @04:15AM (#677710) Homepage
    You want to do something about this?

    Do you really, really want to do something about this?

    Then take off your asbestos underwear, sit down at your computer, read the actual draft treaty [coe.int] in it's current form, think about exactly why you feel this is a bad idea, write it out, revise it, proofread it, and send it to daj@coe.int for review by the people who are actually working on the treaty itself.

    This is the wonder of the Internet, folks. They want your input on this one.

    I can assure you, though, that they aren't scanning through Slashdot "this is so fscking typical" posts to get that feedback.

    If you care about this issue, save your flames, write out a thoughtful letter, send it to the commission, and post it here for others to read and expand upon. But for crying out loud, do something that actually has some chance of making a difference.

...there can be no public or private virtue unless the foundation of action is the practice of truth. - George Jacob Holyoake

Working...